fix: wire ticketing reports into gfa analyze, fix Confluence 401, quiet constraint noise (#32 #33 #34)

bobmatnyc · claude · bobmatnyc · commit 83e144604d87 · 2026-04-22T19:56:03.000-04:00
#32 — generate_all_reports() in analyze_pipeline_reports.py now calls TicketingActivityReport.write_reports() so github_issues_summary.json, confluence_activity_summary.json, and ticketing_activity_summary.json are produced by gfa analyze without a separate gfa report run. #33 — _resolve_env_var in loader_sections.py now warns on unset/empty env vars (${VAR} syntax) and ConfluenceIntegration.verify_credentials() runs a pre-flight GET on init; 401/403 disables the integration with a clear warning rather than silently emitting empty reports. #34 — metrics_storage.py UNIQUE constraint violations now log at DEBUG instead of ERROR; other unexpected DB errors downgraded to WARNING. 4 new tests confirm correct log levels. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/gitflow_analytics/config/loader_sections.py b/src/gitflow_analytics/config/loader_sections.py
@@ -7,6 +7,7 @@
 
 import logging
 import os
+import re
 from pathlib import Path
 from typing import Any, Optional
 
@@ -34,6 +35,14 @@
 )
 from .validator import ConfigValidator
 
+# Regex for embedded env-var references in config strings.
+# Matches both ``${VAR}`` and ``$VAR`` (latter only for ASCII identifiers).
+# WHY: Some users write ``api_token: "${CONFLUENCE_API_TOKEN}"`` but others may
+# inadvertently write ``$CONFLUENCE_API_TOKEN`` or embed the reference in a
+# larger string (e.g. ``"Bearer ${TOKEN}"``); handling all three keeps behaviour
+# predictable and backward compatible.
+_ENV_VAR_PATTERN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")
+
 logger = logging.getLogger(__name__)
 
 
@@ -512,7 +521,7 @@ def _process_pm_config(cls, pm_data: dict[str, Any]) -> Optional[Any]:
                     ),
                 },
             )()
-            pm_config.jira = jira_sub_config
+            pm_config.jira = jira_sub_config  # type: ignore[misc]
 
         return pm_config
 
@@ -563,30 +572,74 @@ def _process_pm_integration_config(
 
     @staticmethod
     def _resolve_env_var(value: Optional[str]) -> Optional[str]:
-        """Resolve environment variable references.
+        """Resolve environment variable references in a string.
+
+        Supports three syntaxes (all backward-compatible with prior
+        exact-match behaviour):
+
+        * ``${VAR}`` — braced reference (preferred, works anywhere in the
+          string).
+        * ``$VAR`` — unbraced reference (must be a valid identifier).
+        * Embedded references (e.g. ``"Bearer ${TOKEN}"``).
+
+        If a referenced variable is not set in ``os.environ``, the reference
+        is replaced with an empty string and a warning is logged — this
+        mirrors shell behaviour and lets callers decide whether the resulting
+        value is acceptable.  For the legacy whole-string ``${VAR}`` pattern
+        the function preserves the prior contract of returning ``None`` when
+        the variable is unset, so downstream ``or ""`` guards continue to
+        work.
 
         Args:
-            value: Value that may contain environment variable reference
+            value: Value that may contain environment variable reference(s).
 
         Returns:
-            Resolved value or None
-
-        Raises:
-            EnvironmentVariableError: If environment variable is not set
+            Resolved string, or ``None`` if the input was empty / the legacy
+            whole-string reference resolved to an unset variable.
         """
+        if value is None:
+            return None
+        if not isinstance(value, str):
+            return value  # type: ignore[return-value]
         if not value:
             return None
 
-        if value.startswith("${") and value.endswith("}"):
+        # Legacy whole-string ``${VAR}`` path — keep exact prior semantics so
+        # callers that rely on ``None`` (rather than "") continue to work.
+        if value.startswith("${") and value.endswith("}") and value.count("${") == 1:
             env_var = value[2:-1]
             resolved = os.environ.get(env_var)
             if not resolved:
-                # Note: We don't raise here directly, let the caller handle it
-                # based on whether the field is required
+                logger.warning(
+                    "Environment variable %r referenced in config is not set or empty; "
+                    "the resulting credential/value will be blank. Check your .env / "
+                    ".env.local files and shell environment.",
+                    env_var,
+                )
                 return None
             return resolved
 
-        return value
+        # Otherwise, perform substitution for every ``${VAR}`` / ``$VAR`` match.
+        if "$" not in value:
+            return value
+
+        missing: list[str] = []
+
+        def _sub(match: "re.Match[str]") -> str:
+            name = match.group(1) or match.group(2)
+            resolved = os.environ.get(name, "")
+            if not resolved:
+                missing.append(name)
+            return resolved
+
+        substituted = _ENV_VAR_PATTERN.sub(_sub, value)
+        if missing:
+            logger.warning(
+                "Environment variable(s) %s referenced in config are not set or empty; "
+                "substituted with empty strings. Check your .env / .env.local files.",
+                ", ".join(sorted(set(missing))),
+            )
+        return substituted
 
     @classmethod
     def _resolve_config_dict(cls, config_dict: dict[str, Any]) -> dict[str, Any]:
diff --git a/src/gitflow_analytics/core/analyze_pipeline_reports.py b/src/gitflow_analytics/core/analyze_pipeline_reports.py
@@ -25,14 +25,15 @@ def run_qualitative_analysis(
     all_commits: list[dict[str, Any]],
     enable_qualitative: bool,
     qualitative_only: bool,
-    display: Any,
+    _display: Any,
 ) -> QualitativeResult:
     """Run qualitative NLP/LLM analysis if enabled.
 
     Returns empty result when qualitative analysis is not configured or
     disabled.  Raises ImportError / Exception when qualitative_only=True
     and analysis cannot proceed.
     """
+    _ = _display  # passed by callers for progress output; not used in this layer
     from ..core.analyze_pipeline_helpers import (
         get_qualitative_config,
         is_qualitative_enabled,
@@ -390,7 +391,7 @@ def generate_all_reports(
     # ---- Narrative markdown ----
     if "markdown" in cfg.output.formats and generate_csv:
         try:
-            import pandas as pd
+            import pandas as pd  # type: ignore[import-not-found]
 
             activity_df = pd.read_csv(activity_report)
             focus_df = pd.read_csv(focus_report)
@@ -412,8 +413,8 @@ def generate_all_reports(
                 pr_metrics,
                 narrative_report,
                 weeks,
-                aggregated_pm_data,
-                chatgpt_summary,
+                aggregated_pm_data or {},
+                chatgpt_summary or "",
                 branch_health_metrics,
                 cfg.analysis.exclude_authors,
                 analysis_start_date=start_date,
@@ -446,6 +447,31 @@ def generate_all_reports(
         except Exception as e:
             logger.error("Database qualitative report failed: %s", e)
 
+    # ---- Ticketing activity report (GitHub Issues + Confluence) ----
+    # Mirrors the guarded block in ``pipeline_report.py`` so that `gfa analyze`
+    # emits the same three JSON summaries (github_issues_summary.json,
+    # confluence_activity_summary.json, ticketing_activity_summary.json) that
+    # `gfa report` produces. Only runs when at least one upstream source is
+    # enabled in configuration.  See GitHub issue #32.
+    gh_issues_cfg = getattr(cfg, "github_issues", None)
+    confluence_cfg = getattr(cfg, "confluence", None)
+    if (gh_issues_cfg and getattr(gh_issues_cfg, "enabled", False)) or (
+        confluence_cfg and getattr(confluence_cfg, "enabled", False)
+    ):
+        try:
+            from ..reports.ticketing_activity_report import TicketingActivityReport
+
+            ticket_gen = TicketingActivityReport(
+                cache=analyzer.cache, identity_resolver=identity_resolver
+            )
+            written = ticket_gen.write_reports(output, start_date, end_date)
+            for path_str in written:
+                name = Path(path_str).name
+                if name not in generated_reports:
+                    generated_reports.append(name)
+        except Exception as e:
+            logger.error("Ticketing activity report failed: %s", e)
+
     # ---- Comprehensive JSON export ----
     if "json" in cfg.output.formats:
         try:
@@ -494,7 +520,7 @@ def generate_all_reports(
 
 def _gen_csv_report(
     label: str,
-    fn: Callable[[Path], None],
+    fn: Callable[[Path], Any],
     path: Path,
     report_list: list[str],
     reraise: bool = False,
diff --git a/src/gitflow_analytics/core/metrics_storage.py b/src/gitflow_analytics/core/metrics_storage.py
@@ -8,12 +8,12 @@
 import logging
 from collections import defaultdict
 from contextlib import contextmanager
-from datetime import date, datetime
+from datetime import date, datetime, timezone
 from pathlib import Path
 from typing import Any, Optional, TypedDict, cast
 
-from sqlalchemy import and_, func
-from sqlalchemy.orm import Session
+from sqlalchemy import and_, func  # type: ignore[import-not-found]
+from sqlalchemy.orm import Session  # type: ignore[import-not-found]
 
 from ..models.database import DailyMetrics, Database
 from ..utils.ai_detection import detect_ai_tool, is_ai_generated
@@ -152,7 +152,7 @@ def store_daily_metrics(
                     if existing:
                         # Update existing record
                         self._update_metrics_record(existing, metrics)
-                        existing.updated_at = datetime.utcnow()
+                        existing.updated_at = datetime.now(timezone.utc).replace(tzinfo=None)
                         logger.debug(
                             f"Updated existing daily metrics for {dev_id} in {project_key} on {analysis_date}"
                         )
@@ -180,9 +180,15 @@ def store_daily_metrics(
                     records_processed += 1
 
                 except Exception as e:
-                    logger.warning(
-                        f"Failed to store/update daily metrics for {dev_id} in {project_key} on {analysis_date}: {e}"
-                    )
+                    is_unique_violation = "UNIQUE constraint failed" in str(e)
+                    if is_unique_violation:
+                        logger.debug(
+                            f"UNIQUE constraint conflict for {dev_id} in {project_key} on {analysis_date}: {e}"
+                        )
+                    else:
+                        logger.warning(
+                            f"Failed to store/update daily metrics for {dev_id} in {project_key} on {analysis_date}: {e}"
+                        )
                     session.rollback()
                     # Try to handle UNIQUE constraint violations by doing another lookup
                     try:
@@ -200,18 +206,19 @@ def store_daily_metrics(
                         if existing:
                             # Record was created by another process, just update it
                             self._update_metrics_record(existing, metrics)
-                            existing.updated_at = datetime.utcnow()
+                            existing.updated_at = datetime.now(timezone.utc).replace(tzinfo=None)
                             session.commit()
                             records_processed += 1
                             logger.info(
                                 f"Updated metrics after constraint violation for {dev_id} in {project_key} on {analysis_date}"
                             )
                         else:
-                            logger.error(
+                            # UNIQUE violation but record gone — expected during re-classification
+                            logger.debug(
                                 f"Could not resolve constraint violation for {dev_id} in {project_key} on {analysis_date}"
                             )
                     except Exception as retry_e:
-                        logger.error(
+                        logger.warning(
                             f"Retry failed for {dev_id} in {project_key} on {analysis_date}: {retry_e}"
                         )
                         session.rollback()
diff --git a/src/gitflow_analytics/integrations/confluence_integration.py b/src/gitflow_analytics/integrations/confluence_integration.py
@@ -101,6 +101,63 @@ def _build_session(self) -> requests.Session:
         session.headers.update(self.headers)
         return session
 
+    # ------------------------------------------------------------------
+    # Pre-flight credential check
+    # ------------------------------------------------------------------
+    def verify_credentials(self) -> None:
+        """Perform a lightweight authenticated probe against Confluence.
+
+        Issues a single ``GET {base_url}/rest/api/space?limit=1`` request and
+        raises :class:`RuntimeError` with a descriptive message on any
+        authentication failure.  This surfaces credential problems during
+        orchestrator initialization instead of during the first
+        ``fetch_all_spaces`` call, where failures would previously be
+        swallowed and silently produce an empty report (see issue #33).
+
+        Raises:
+            RuntimeError: If credentials appear invalid (missing creds, HTTP
+                401/403, or other request-level failure).
+        """
+        # Fail fast on obviously-missing credentials rather than issuing a
+        # guaranteed-401 request.
+        if not self.base_url:
+            raise RuntimeError(
+                "Confluence authentication failed: base_url is empty. "
+                "Check your config's 'confluence.base_url'."
+            )
+        if not self.username or not self.api_token:
+            raise RuntimeError(
+                "Confluence authentication failed: check base_url, username, "
+                "and api_token. The username or api_token resolved to an empty "
+                "string — most likely the ${CONFLUENCE_API_TOKEN} environment "
+                "variable is not set. Verify your .env / .env.local file is "
+                "loaded before `gfa analyze` runs."
+            )
+
+        url = f"{self.base_url}/rest/api/space"
+        try:
+            response = self._session.get(
+                url,
+                params={"limit": 1},
+                timeout=self.connection_timeout,
+            )
+        except requests.RequestException as exc:
+            raise RuntimeError(
+                f"Confluence authentication failed: request error contacting "
+                f"{url}: {exc}. Check base_url and network connectivity."
+            ) from exc
+
+        if response.status_code in (401, 403):
+            raise RuntimeError(
+                "Confluence authentication failed: check base_url, username, "
+                f"and api_token (HTTP {response.status_code} from {url})."
+            )
+        if response.status_code >= 400:
+            raise RuntimeError(
+                f"Confluence pre-flight check failed with HTTP "
+                f"{response.status_code} from {url}: {response.text[:200]}"
+            )
+
     # ------------------------------------------------------------------
     # Public API
     # ------------------------------------------------------------------
diff --git a/src/gitflow_analytics/integrations/orchestrator.py b/src/gitflow_analytics/integrations/orchestrator.py
@@ -1,18 +1,21 @@
 """Integration orchestrator for multiple platforms."""
 
 import json
+import logging
 from datetime import datetime
 from typing import Any, Union
 
 from ..core.cache import GitAnalysisCache
 from ..pm_framework.orchestrator import PMFrameworkOrchestrator
 from ..utils.debug import is_debug_mode
 from .cicd.github_actions import GitHubActionsIntegration
-from .confluence_integration import ConfluenceIntegration
+from .confluence_integration import ConfluenceIntegration  # type: ignore[import-untyped]
 from .github_integration import GitHubIntegration
 from .github_issues_integration import GitHubIssuesIntegration
 from .jira_integration import JIRAIntegration
 
+logger = logging.getLogger(__name__)
+
 
 class IntegrationOrchestrator:
     """Orchestrate integrations with multiple platforms."""
@@ -106,7 +109,7 @@ def __init__(self, config: Any, cache: GitAnalysisCache):
             and getattr(confluence_cfg, "base_url", "")
         ):
             try:
-                self.integrations["confluence"] = ConfluenceIntegration(
+                confluence_integration = ConfluenceIntegration(
                     base_url=confluence_cfg.base_url,
                     username=confluence_cfg.username,
                     api_token=confluence_cfg.api_token,
@@ -118,9 +121,23 @@ def __init__(self, config: Any, cache: GitAnalysisCache):
                     max_retries=confluence_cfg.max_retries,
                     backoff_factor=confluence_cfg.backoff_factor,
                 )
-                if self.debug_mode:
-                    print("   ✅ Confluence integration initialized")
+
+                # Pre-flight credential verification (issue #33): catch 401s
+                # at init time so we can surface a clear error and disable
+                # the integration rather than silently producing empty
+                # reports later.
+                try:
+                    confluence_integration.verify_credentials()
+                except RuntimeError as auth_err:
+                    logger.warning("Disabling Confluence integration: %s", auth_err)
+                    if self.debug_mode:
+                        print(f"   ⚠️  Confluence disabled: {auth_err}")
+                else:
+                    self.integrations["confluence"] = confluence_integration
+                    if self.debug_mode:
+                        print("   ✅ Confluence integration initialized")
             except Exception as e:
+                logger.warning("Failed to initialize Confluence: %s", e)
                 if self.debug_mode:
                     print(f"   ⚠️  Failed to initialize Confluence: {e}")
 
@@ -302,7 +319,7 @@ def enrich_repository_data(
             conf = self.integrations["confluence"]
             if isinstance(conf, ConfluenceIntegration):
                 try:
-                    conf.fetch_all_spaces(since)
+                    conf.fetch_all_spaces(since)  # type: ignore[union-attr]
                     self._confluence_fetched = True
                 except Exception as e:
                     if self.debug_mode:
diff --git a/tests/core/test_metrics_storage_constraint_logging.py b/tests/core/test_metrics_storage_constraint_logging.py
diff --git a/tests/integrations/test_confluence_integration.py b/tests/integrations/test_confluence_integration.py
